L2L connections
LAN-to-LAN (site-to-site) connections are best suited to routers, since a router can terminate multiple dynamic site-to-site VPNs
- WAN extension of a classical design
- Configuration steps
- Handle design and policy
- Verify connectivity without IPsec (ping)
- Create an extended ACL to allow IPsec traffic into the router
- Configure ISAKMP / IKE Phase 1 policies
- Create an extended ACL that defines which traffic is to be protected by the tunnel
- Create transform sets
- Create a crypto map that binds together the peer information and the protection parameters
- Activate the crypto map on the interface
- Test the IPsec tunnel
Information to determine
- L2L types of solutions:
- Classic method (small number of peers, or non-Cisco router, ASA / PIX)
- GRE tunnels (medium number of peers, Cisco)
- DMVPN (large number of peers, Cisco)
- Authentication methods:
- Pre-shared keys
- RSA (encrypted nonces or signatures)
- Certificates (Certificate Authority)
- Name / IP address of the remote IPsec peer
- Traffic to be protected
- Encryption algorithm: DES, 3DES or AES
- Hashing function to use: 1, 2 or 5
- Lifetime of the tunnel
- Which interface the traffic leaves on toward the public network
- Allow traffic (IOS ACL syntax is source first, then destination):
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq isakmp | 500
rt(config)# access-list ACL_ID permit ahp | 51 src_IP wild_mask dst_IP wild_mask
rt(config)# access-list ACL_ID permit esp | 50 src_IP wild_mask dst_IP wild_mask
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq non500-isakmp | 4500
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq 10000
rt(config)# access-list ACL_ID permit tcp src_IP wild_mask dst_IP wild_mask eq 10000
Enabling IPsec
- Almost all IPsec commands begin with crypto in router global configuration mode
- ISAKMP is enabled by default
- Host names or IP addresses can be used to identify peers
- Better to set host names statically to avoid DNS spoofing
rt(config)# crypto isakmp identity address | hostname
rt(config)# ip host hostname IP_addr_1 [IP_addr_2] [...]
- Connection policy management
- Phase 1 policies must match or the tunnel will fail, EXCEPT the lifetime (with some vendors it is compulsory too). Cisco uses the shortest lifetime. Default 14800 seconds
- priority_# uniquely identifies the policy
- The smaller the number, the higher the priority
- The most secure policy should be placed on top
rt(config)# crypto isakmp policy priority_#
rt(config-isakmp)# authentication rsa-sig | rsa-encr | pre-share
rt(config-isakmp)# encryption des | 3des | aes | aes 192 | aes 256
rt(config-isakmp)# group 1 | 2 | 5
rt(config-isakmp)# hash md5 | sha
rt(config-isakmp)# lifetime #_of_seconds
rt# show crypto isakmp policy
- Phase 1 authentication
rt(config)# crypto key generate rsa
rt(config)# crypto isakmp key 0 key address IP_address [no-xauth]
(or)
rt(config)# crypto isakmp key 0 key hostname host [no-xauth]
rt(config)# crypto pki trustpoint Cert_Authority
rt(ca-trustpoint)# enrollment url http://ca.server.com
rt(ca-trustpoint)# revocation-check none
rt(config)# crypto pki crl request Cert_Authority
rt(config)# crypto pki authenticate Cert_Authority
- Phase 2 (IPsec SA) parameters
rt(config)# crypto ipsec security-association lifetime seconds #_seconds
rt(config)# crypto ipsec security-association lifetime kilobytes #_kbytes
rt(config)# access-list ACL permit proto local_addr local_mask rem_addr rem_mask
rt(config)# crypto ipsec transform-set tsname ts_1 [ts_2 [ts_3]]
rt(cfg-crypto-trans)# mode tunnel | transport
rt# show crypto ipsec transform-set
- Crypto map
- Ties the ISAKMP / IKE components together to form the SA
- Static
- Connecting to known IPsec devices
- Used when we know the remote peer's information
- We must know upfront: address, ACLs, transform set
rt(config)# crypto map map_name sequence_# ipsec-isakmp | ipsec-manual
rt(config-crypto-map)# match address ACL
rt(config-crypto-map)# set peer hostname | IP
rt(config-crypto-map)# set pfs group1 | group2 | group5
rt(config-crypto-map)# set transform-set tsname ts_1 [ts_2 [ts_3]]
rt(config-crypto-map)# set security-association lifetime ...
rt(config)# crypto map map_name local-address interface
rt(config)# interface type number
rt(config-if)# crypto map map_name
rt# show crypto map
- Dynamic
- Used when we do not know the remote peer (dialup / DHCP)
- The remote side must initiate the connection
- One side uses a static crypto map, the other side a dynamic one
- The router creates a temporary static entry when the SA is formed
rt(config)# crypto dynamic-map dyn_map_name sequence_#
rt(config-crypto-map)# ... (same set / match commands as a static entry)
- A dynamic map is embedded as an entry in a static crypto map (Cisco syntax)
rt(config)# crypto map static_map_name sequence_# ipsec-isakmp dynamic dyn_map_name
rt(config)# interface int_ID
rt(config-if)# crypto map static_map_name
- AAA and static crypto maps
rt(config)# crypto map static_map client authentication list aaa_list
rt(config)# crypto map static_map isakmp authorization list aaa_list
rt(config)# crypto map static_map client configuration address initiate | respond
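The configuration steps listed at the top and the static crypto map section, tied together as one complete classic L2L config for one side, pre-shared key authentication. This is an added example, not from the original notes; all addresses (RFC 5737 documentation space), interface names, ACL / map / transform-set names and the PSK placeholder are constructed, and peer B is assumed to carry the mirror-image configuration.

```cisco
! Site A router, classic L2L with pre-shared key (constructed example).
! Public: A = 203.0.113.1, B = 203.0.113.2. Private: A = 10.1.0.0/16, B = 10.2.0.0/16.
!
! Step 1: let ISAKMP/IPsec from the peer reach the router on the outside interface
! (add whatever other permits the interface needs; the ACL ends in an implicit deny).
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Step 2: ISAKMP / IKE Phase 1 policy; every value except lifetime must match the peer.
! AES/SHA are chosen here over the DES/MD5 options the notes also list.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp identity address
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 203.0.113.2 no-xauth
!
! Step 3: interesting traffic; the peer's ACL must be the exact mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Step 4: Phase 2 transform set (ESP confidentiality + integrity) and SA lifetime.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Step 5: static crypto map binds peer, protected traffic and transform set.
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
! Step 6: activate the map on the outside interface, with the inbound ACL from step 1.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map L2L-MAP
!
! Step 7: test; send traffic that matches VPN-TRAFFIC, then check both phases.
! ping 10.2.0.1 source 10.1.0.1
! show crypto isakmp sa   -> state QM_IDLE means Phase 1 is established
! show crypto ipsec sa    -> #pkts encaps / #pkts decaps must increase
```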